Re: Storing Client Certificates
From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 03/24/05
- Next message: Dominick Baier [DevelopMentor]: "Re: Anyone out there using AzMan with WinForms solution?"
- Previous message: Chris Austin: "Problems with RSA.SignData"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: Storing Client Certificates"
- Next in thread: Todd Bright: "RE: Storing Client Certificates"
Date: Thu, 24 Mar 2005 03:38:02 -0800
Hello Joe,
as i said - certificates are not secret.
i guess you want to secure a private key in some form. if you have to deal
with private keys in your application on the client you could encrypt the
file (as suggested before) - this would require password entry on application
startup (and this password will most likely end up for a long time in clear
text in memory) - you could use DPAPI for encryption - this would leverage
Windows single-signon.
..Or use the OS service that is specifically made for that: The Certificate
Store - container for storing certs/pub/priv keys, stored in user profile,
roaming, uses single-signon.
Have a look at CAPICOM - a COM lib to access the cert store - or use .NET
2.0 X509Certificate2, X509Store classes and friends.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
> The client certificate or the private key for the client certificate?
> The certificate is public information. The private key is needed to
> sign or authenticate and is the secret part. It is stored separately,
> or they are packaged together in a P12 file.
>
> We are probably just mixing up terms here, but technically the
> certificate really is public and can't be used to authenticate.
>
> Joe K.
>
> "Todd Bright" <ToddBright@discussions.microsoft.com> wrote in message
> news:B5D31332-D613-4ED0-83C3-6E4BCE7B31ED@microsoft.com...
>
>> If someone hacked into the client machine and found the client cert they
>> could send form posts and/or files over to our server. So I wanted to
>> "hide" the client cert so no one but my app either knows where it is or
>> can get to it.
>> "Dominick Baier [DevelopMentor]" wrote:
>>
>>> Hello Todd,
>>>
>>> certs are no secret - a public key bundled with some extra info -
>>> why are you concerned with security?
>>>
>>> ---------------------------------------
>>> Dominick Baier - DevelopMentor
>>> http://www.leastprivilege.com
>>>> Is there a way in .Net to specify that an embedded resource can
>>>> only be accessed from within the assembly?
>>>>
>>>> Or, in general, what is the best/most secure way of storing a
>>>> client-side cert without having to have a user profile?
>>>>
>>>> Thanks,
>>>> Todd
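
The certificate-store approach suggested in the reply above, as an added example that is not part of the original message: a one-time import of a P12/PFX into the current user's store with a non-exportable private key, then a lookup by thumbprint at run time. The class and method names, the file path, password and URL parameters are assumptions, and the code needs a loaded user profile.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper class; names are illustrative, not from the thread.
static class ClientCertStoreExample
{
    // One-time provisioning: import the P12/PFX into CurrentUser\My.
    // Omitting X509KeyStorageFlags.Exportable marks the private key non-exportable;
    // PersistKeySet keeps the key container after this process exits.
    public static string Install(string pfxPath, string pfxPassword)
    {
        X509Certificate2 cert = new X509Certificate2(pfxPath, pfxPassword,
            X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        try { store.Add(cert); }
        finally { store.Close(); }
        return cert.Thumbprint; // record this value in the application's configuration
    }

    // Run time: no password entry; the store hands back the certificate
    // with a reference to the private key held in the user's key container.
    public static X509Certificate2 Load(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false: return the match even if local chain validation
            // fails; the server decides whether it trusts the certificate.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found in CurrentUser\\My.");
            if (!found[0].HasPrivateKey)
                throw new InvalidOperationException("Certificate has no associated private key.");
            return found[0];
        }
        finally { store.Close(); }
    }

    // Attach the stored certificate to an outgoing HTTPS request.
    public static HttpWebRequest CreateRequest(string url, string thumbprint)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(Load(thumbprint));
        return request;
    }
}
```

The non-exportable flag stops the key from being exported through the store APIs, but any code running as the same user can still ask the store to sign with it. Delete the source P12/PFX file after import so the password-protected copy does not remain on disk.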